
Merchant documentation


Published: 27.11.2023
Updated: 04.04.2024

All merchants accepting credit card payments must comply with the PCI DSS requirements. However, the requirements differ in relation to how merchants must provide documentation for meeting the security standard.

Depending on the revenue, merchants must provide different documentation for meeting the PCI DSS requirements. The rules apply to all types of agreement. 

The different levels and the rules for documentation

Merchants with more than six million transactions annually (level 1)* 

You must have an annual audit performed by a Qualified Security Assessor (QSA), as well as quarterly network scans performed by an Approved Scanning Vendor (ASV).

* And merchants designated as Level 1 merchants by the card associations.

Merchants with one to six million transactions annually (level 2)

You must fill out a PCI questionnaire** once a year or have an annual audit performed by a QSA. Furthermore, depending on the technical environment, you must have a quarterly network scan performed by an ASV.

** Self Assessment Questionnaire (SAQ) types A, A-EP and D must be certified by an approved PCI Internal Security Assessor (ISA) or Qualified Security Assessor (QSA).

Web shops with 20,000 to one million transactions annually (level 3)

You must fill out a PCI questionnaire once a year. Furthermore, a quarterly network scan performed by an ASV may be required.

All other merchants (level 4)

You must complete an annual questionnaire and network scan on request.

Nets recommends that you carry out a network scan and fill out a PCI questionnaire once a year. All level 4 merchants must meet the PCI DSS requirements. Most data theft happens at small and medium-sized merchants that lack the necessary security.

List of Qualified Security Assessors (QSA) – businesses certified to audit systems that must comply with the PCI DSS requirements.

List of Approved Scanning Vendors (ASV) – businesses approved to scan IT systems.
